The Hacker News — Cyber Security, Hacking, Technology News

A severe programming error has been discovered in Apple's latest macOS High Sierra 10.13 that exposes passwords of encrypted Apple File System (APFS) volumes in plain text.

Reported by Matheus Mariano, a Brazilian software developer, the bug affects encrypted APFS volumes: the password-hint field displays the actual password in plain text.

Yes, you read that right: your Mac reveals the actual password instead of the password hint.

In September, Apple released macOS High Sierra 10.13 with APFS (Apple File System) as the default file system for solid-state drives (SSDs) and other all-flash storage devices, promising strong encryption and better performance.

Mariano discovered the security issue while he was using the Disk Utility in macOS High Sierra to add a new encrypted APFS volume to a container. When adding a new volume, he was asked to set a password and, optionally, write a hint for it.

Whenever the new volume is subsequently mounted, macOS prompts for that password.

However, when Mariano clicked the "Show Hint" button, he was shown his actual password in plain text rather than the hint he had entered.

Mariano published a video demonstrating the problem.
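The failure above amounts to the secret being persisted in the field meant to describe it. As an added example (not from the article, and not Apple's or Disk Utility's code), here is the kind of validation a tool that stores a hint next to a passphrase should run before it writes the hint. All function names, the `MIN_FRAGMENT_LEN` threshold and the sample inputs are chosen for this example.

```python
"""Reject a passphrase hint that gives away the passphrase it is meant to jog.

Added example for this article; it is not Apple's code and not Disk Utility's
logic. The APFS bug above amounted to the passphrase being written into the
hint field, and the check here is the validation any tool that stores a hint
next to a secret should run before persisting the hint.
"""
from __future__ import annotations

import unicodedata

# Assumption: fragments shorter than this are too common to count as a leak on their own
MIN_FRAGMENT_LEN = 4


def _normalize(text: str) -> str:
    """Unicode-normalize, case-fold and drop whitespace so trivial variants compare equal."""
    return "".join(unicodedata.normalize("NFKC", text).casefold().split())


def _longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (simple DP; inputs are short)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def hint_leak_reason(passphrase: str, hint: str, max_overlap: float = 0.5) -> str | None:
    """Return why the hint should be rejected, or None if it is acceptable.

    Rejects a hint that equals the passphrase (the exact failure mode in the
    article), that contains it or is a fragment of it, that is the passphrase
    reversed, or that shares a run of characters longer than max_overlap of
    the passphrase's length.
    """
    p = _normalize(passphrase)
    if not p:
        raise ValueError("passphrase must not be empty")
    h = _normalize(hint)
    if not h:
        return None  # no hint at all is always safe

    if h == p:
        return "hint is identical to the passphrase"
    if h == p[::-1]:
        return "hint is the passphrase reversed"
    if len(p) >= MIN_FRAGMENT_LEN and p in h:
        return "hint contains the passphrase"
    if len(h) >= MIN_FRAGMENT_LEN and h in p:
        return "hint is a fragment of the passphrase"
    run = _longest_common_substring(p, h)
    if run / len(p) > max_overlap:
        return f"hint shares a run of {run} characters with the passphrase"
    return None


def new_encrypted_volume(passphrase: str, hint: str = "") -> dict[str, str]:
    """Constructed stand-in for the 'set passphrase, optional hint' step of creating a volume.

    It stores nothing; it only returns the fields that would be persisted, and
    refuses when the hint would disclose the passphrase.
    """
    reason = hint_leak_reason(passphrase, hint)
    if reason is not None:
        raise ValueError(f"refusing to store hint: {reason}")
    return {"passphrase": passphrase, "hint": hint}
```

The comparison is done on normalized text on purpose: a hint that differs from the passphrase only by case, spacing or Unicode composition is no less of a disclosure than an exact copy.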

This security issue is not the only one discovered in Apple's latest desktop operating system.

Just hours before High Sierra shipped, ex-NSA hacker Patrick Wardle publicly demonstrated a separate critical vulnerability that lets an installed app read passwords and other secrets out of the macOS keychain without prompting the user.

The good news is that on Thursday Apple released a supplemental update for macOS High Sierra 10.13 that addresses both issues. Mac users can install it from the Mac App Store or download it from Apple's software downloads site.

Note that installing the update alone does not undo the disclosure on volumes created before the fix, because the password is already stored in that volume's hint field. Apple has published a support article on the bug that walks through backing up, erasing and recreating an affected volume with a new password; follow it to protect your data.

Attackers can remotely compromise an unpatched iOS device: all they need to do is trick you into viewing a maliciously crafted JPEG image or PDF file, on a website or in an email, and the file can execute code of their choosing on the device.

The flaw is tracked as CVE-2016-4673. The good news is that Apple has released iOS 10.1 for iPhones and iPads to address this remote code execution bug, alongside a batch of other fixes.

Now that a patch is public, attackers can compare the patched and unpatched code to locate the bug and target devices that have not yet been updated.
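The article does not describe the defect behind CVE-2016-4673, only that a crafted JPEG or PDF can corrupt memory in the decoder. As an added example (not Apple's CoreGraphics code and not from the article), the walker below shows the bounds checking an image parser must do before it trusts a length field taken from the file: every JPEG marker segment's declared length is validated against the bytes actually present. The two sample files are constructed byte strings, and all names are chosen for this example.

```python
"""Walk the marker segments of a JPEG file, refusing any whose declared length
overruns the data actually present.

Added example for this article; not Apple's code, and not the specific defect
behind CVE-2016-4673, which the page does not describe. The sample files are
constructed byte strings.
"""
from __future__ import annotations

import struct

SOI, EOI, SOS, TEM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFF01
RSTN = {0xFFD0 + i for i in range(8)}
STANDALONE = {SOI, EOI, TEM} | RSTN  # markers that carry no length field


class MalformedJPEG(ValueError):
    """Raised instead of reading past the end of the buffer."""


def walk_segments(data: bytes) -> list[tuple[int, int, int]]:
    """Return (marker, offset, payload_length) for each segment from SOI through SOS or EOI.

    Every length is checked against the bytes remaining, so a segment that
    claims more payload than exists raises MalformedJPEG rather than being
    parsed out of bounds.
    """
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        raise MalformedJPEG("missing SOI marker")
    segments = [(SOI, 0, 0)]
    pos = 2
    while True:
        if pos + 2 > len(data):
            raise MalformedJPEG(f"truncated: expected a marker at offset {pos}")
        if data[pos] != 0xFF:
            raise MalformedJPEG(f"expected 0xFF at offset {pos}, got 0x{data[pos]:02x}")
        if data[pos + 1] == 0xFF:  # fill byte before a marker; skip it
            pos += 1
            continue
        marker = 0xFF00 | data[pos + 1]
        if marker == 0xFF00:
            raise MalformedJPEG(f"stuffed 0xFF00 outside entropy-coded data at offset {pos}")
        if marker in STANDALONE:
            segments.append((marker, pos, 0))
            pos += 2
            if marker == EOI:
                return segments
            continue
        if pos + 4 > len(data):
            raise MalformedJPEG(f"truncated length field for marker 0x{marker:04x} at offset {pos}")
        length = struct.unpack_from(">H", data, pos + 2)[0]  # counts the two length bytes themselves
        if length < 2:
            raise MalformedJPEG(f"marker 0x{marker:04x} declares impossible length {length}")
        payload_len = length - 2
        end = pos + 2 + length
        if end > len(data):
            raise MalformedJPEG(
                f"marker 0x{marker:04x} at offset {pos} declares {payload_len} payload bytes "
                f"but only {len(data) - (pos + 4)} remain"
            )
        segments.append((marker, pos, payload_len))
        if marker == SOS:
            return segments  # entropy-coded data follows; it has no length field
        pos = end


def is_well_formed(data: bytes) -> bool:
    """True if the segment walk completes without a bounds violation."""
    try:
        walk_segments(data)
    except MalformedJPEG:
        return False
    return True


def _segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment with a correct length field."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed minimal file: SOI, APP0 (JFIF header), DQT, SOS, a little scan data, EOI.
GOOD_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFFDB, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
)
# Same bytes with APP0's length field rewritten to claim 0xFFFF bytes: the kind
# of lie a crafted image tells a decoder that copies first and checks later.
BAD_JPEG = GOOD_JPEG[:4] + b"\xff\xff" + GOOD_JPEG[6:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        try:
            print(name, [f"0x{m:04x}@{o}+{n}" for m, o, n in walk_segments(blob)])
        except MalformedJPEG as exc:
            print(name, "rejected:", exc)
```

In Python an over-long slice is merely short; in a C decoder the same unchecked length is an out-of-bounds read or a heap overflow, which is why the check has to happen before the copy, not after.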

So, users running older versions of iOS are advised to update their mobile devices to iOS 10.1 as soon as possible.

Besides this remote code execution flaw, iOS 10.1 addresses 11 other security flaws in the operating system for iPhone, iPad and iPod touch.

Those include local code execution vulnerabilities, a remote code execution bug in WebKit (CVE-2016-4677), and a flaw in Contacts (CVE-2016-4686) that let an app read Address Book details even after its access had been revoked.

To update your iOS device go to Settings → General → Software Update.

Security Updates for Mac, Apple Watch, and AppleTV

Apple has also released security updates for Macs, Apple Watch and Apple TV.

Mac users should update to macOS Sierra 10.12.1, which includes fixes for 16 CVE-listed vulnerabilities.

Those include the same image-handling bug (CVE-2016-4673), a denial-of-service bug in the Nvidia graphics drivers, a bug that disclosed the length of user passwords, and remote code execution flaws triggered by malicious font and PDF files, among others.

Meanwhile, Apple Watch users are recommended to update their devices to watchOS 3.1, which includes fixes for 8 security flaws.

Those flaws include 2 vulnerabilities in sandbox profiles that could allow third-party apps to view image libraries and sound files without permission.

AppleTV users are also advised to update their devices to tvOS 10.0.1, which includes patches for 10 vulnerabilities, including the WebKit remote code execution flaw, the sandbox profiles flaws, and the CoreGraphics JPEG flaw.

Are you experiencing slow Internet speed on your MacBook today? — It's not just you!

Here's Why:

Following in Microsoft's footsteps, Apple has started "pre-downloading" the latest version of its desktop operating system, macOS 10.12 Sierra, in the background, if you are still running OS X El Capitan.

If you have automatic downloads enabled, the roughly 5GB installer is downloaded silently in the background, consuming your bandwidth for a file you never asked for.

Apple justifies this move by saying that the automatic download would make it easier for users to get the newest operating system, encouraging them to update their Macs.

The good news, however, is that the update will not install automatically without your permission.

Once downloaded automatically in the background, users who are running OS X El Capitan version 10.11.5 or later will receive a notification that says macOS Sierra is ready to be installed.

All you need to do is just click the Install button to get started with the update.

The automatic download only happens on Macs that have enough free storage and meet macOS Sierra's system requirements.

And the installer is deleted again if the Mac starts running low on storage.

"Apple is also being smart about the download. If your computer is low on space, macOS Sierra will not download," The Loop reports. "In addition, if it has downloaded and your computer starts to get low on space, the download will be automatically deleted."

How to Stop MacOS Sierra Automatic Download

Still, the automatic download is annoying if you have no intention of upgrading anytime soon.

If you're not ready to upgrade to the latest macOS, or just want to download it later, you can delete the Sierra installer manually so you are not prompted to install it.

To delete it, open Finder → Applications, find the application called 'Install macOS Sierra', move it to the Trash, and then empty the Trash.

Your Mac may ask for your login password to complete this.

If you would rather not have a 5GB installer downloaded to your computer in the first place, you can disable automatic downloads in the App Store preferences.

To disable the feature, you can head on to System Preferences → App Store → Automatically check for updates and then uncheck "Download newly available updates in the background."

That's it. You are done!

Your Mac will now neither download macOS Sierra automatically nor prompt you to install it. You can opt back into automatic downloads later.

Your Mac is vulnerable to a serious privilege escalation flaw, dubbed "RootPipe", even if you are running the latest version of OS X.

What’s RootPipe?

Back in October 2014, Swedish white-hat hacker Emil Kvarnhammar reported a critical privilege escalation vulnerability, which he dubbed "RootPipe", in several versions of Mac OS X, including the then-newest 10.10 Yosemite.

The vulnerability (CVE-2015-1130) could let an attacker with local access take full control of a Mac desktop or laptop without being asked to authenticate.

Keeping in mind the devastating effect of the RootPipe vulnerability, the researcher privately reported the flaw to Apple and did not disclose the details of the flaw publicly until the company released a patch to fix it.

Apple did release an update but failed to patch RootPipe:

Earlier this month, Apple released OS X Yosemite 10.10.3 and stated that it fixed the so-called RootPipe backdoor, which had been present in OS X since 2011.

However, Apple did not backport the fix to versions older than 10.10. The company has no public policy on which releases receive security patches, so tens of millions of users on 10.9 and earlier were left exposed.

"Apple indicated that this issue required a substantial amount of changes on their side and that they would not backport the fix to 10.9.x and older," Kvarnhammar said in a blog post on the TrueSec website.

But here's the worst part:

Apple's RootPipe fix in OS X 10.10.3 turns out to be bypassable itself, which leaves even fully patched Macs exposed to RootPipe-style attacks once again.

Patrick Wardle, an ex-NSA staffer and now director of R&D at Synack, says he has found a new way around Apple's fix to re-exploit the RootPipe vulnerability, again opening a path to the highest privilege level, root.

This time, though, the attack requires the attacker to already be running code locally, which in practice would be obtained by exploiting some other piece of software on the Mac.

Wardle demonstrated the bypass in a proof-of-concept video.

He has reported his findings to Apple's security team and will not publish details of his attack until the company issues a complete fix.

Let's hope Apple's next fix holds up better: the first one took nearly six months to ship, and Wardle found a way around it while sitting on a flight.

Thunderstrike, a bootkit that is almost impossible to detect once installed, works by loading a malicious Option ROM from a device plugged into the Mac's Thunderbolt port during boot and using it to rewrite the Mac's EFI boot firmware. The attack is possible because firmware on hardware attached over Thunderbolt is not held to the same security standard as the Mac itself.

Once installed through a Thunderstrike attack, the malware is almost impossible to detect or remove.

Because the Mac's firmware protections did not extend to attached hardware, "Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again," iMore reported.

“According to people with access to the latest beta of OS X 10.10.2 who are familiar with Thunderstrike and how it works, that's exactly the deep, layered process that's been completed.”

Is your Safari browser up to date? Apple has released Safari 6.1.3 and Safari 7.0.3 with new security fixes, so make sure your Macs are running the latest version.

The updates address multiple vulnerabilities in Safari, the default browser on OS X.

Not five or ten this time, but about two dozen: the update patches a total of 27 vulnerabilities in Safari, including the one demonstrated at the Pwn2Own 2014 hacking competition.

Safari 6.1.3 is the update for OS X 10.7 and 10.8; Safari 7.0.3 is the update for OS X 10.9.

Among the 27 vulnerabilities, the most notable is CVE-2014-1303, a heap-based buffer overflow that a remote attacker can exploit to execute arbitrary code and escape a sandbox protection mechanism.

This is the vulnerability used by Liang Chen of Keen Team, a Shanghai-based group of security researchers, to hack Safari on the second day of this year's Pwn2Own, held on March 12-13 at the CanSecWest security conference in Vancouver, earning a $65,000 reward.

Most of the vulnerabilities are memory corruption bugs in WebKit: a malicious or specially crafted website could exploit them to execute arbitrary code on the victim's machine or crash the browser (a denial of service). Code execution in the browser is also a common first step for installing malware on the victim's computer.

Another notable vulnerability is CVE-2014-1713, reported through HP's Zero Day Initiative by the French firm VUPEN, which is known for selling zero-day exploits, typically to law enforcement and government intelligence agencies.

VUPEN also exploited several other targets at this year's Pwn2Own, including Chrome, Adobe Flash, Adobe Reader and Microsoft's Internet Explorer 11, taking home $400,000 of the contest's total payout.

More than half of the bugs fixed in this Apple update are credited to the Google Chrome Security Team: Chrome's Blink engine is a fork of WebKit, so many WebKit bugs affect both browsers.

Apple also credits a separate flaw, found by Ian Beer of Google Project Zero, that could let an attacker already running arbitrary code in the WebProcess read arbitrary files despite Safari's sandbox restrictions.

Last month, Apple issued the iOS 7.1 update for iPhone, iPad and iPod touch to patch several vulnerabilities, including one in mobile Safari.

Apple has published the updates, with download instructions, on its Software Updates page and in the Safari 6.1.3 and 7.0.3 security notes. Safari users are advised to update as soon as possible.

Security researchers have exposed yet another Apple vulnerability, this one exploitable to record every touch a user makes on an iOS device such as an iPhone or iPad.

According to researchers at FireEye, the attack abuses iOS's multitasking (background execution) to capture user input.

They found a way to effectively bypass Apple's app review process and built a proof-of-concept "monitoring" app for non-jailbroken devices running iOS 7.0.x.

The monitoring app runs in the background and behaves as a keylogger Trojan: it records touches on the screen, presses of the Home and volume buttons and Touch ID events, and sends everything it collects to a remote server.

According to researchers, their proof-of-concept app works on versions 7.0.4, 7.0.5, 7.0.6, and 6.1.x.

"Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring." FireEye researchers said.

The researchers note that this is not controlled by iOS 7's "Background App Refresh" setting: disabling it does not stop a malicious app from logging input.

"For example, an app can play music in the background without turning on its "background app refresh" switch. Thus a malicious app can disguise itself as a music app to conduct background monitoring," FireEye explained. So the only present workaround is to manually remove such apps from the app switcher.

Earlier this week, Apple issued an urgent iOS 7.0.6 update for an SSL/TLS certificate-validation flaw (the "goto fail" bug) that let an attacker on a shared or public network intercept supposedly encrypted connections and read usernames, passwords and other sensitive data.

FireEye is working with Apple on the background-monitoring issue, but until the next iOS update ships, the only thing iOS users can do is check the app switcher (double-press the Home button) for apps they don't need running and swipe them away.

Apple has faced a number of challenges over the last year related to software bugs and flaws in its flagship iPhone. According to a video posted on YouTube, iPhone and iPad users running the latest iOS 6.1 can bypass the lock screen even when a passcode is set.

The person who posted it found that starting and cancelling an emergency call, holding the power button, and then taking a screenshot (power plus Home) got him past the point where he should have had to enter the passcode.

The flaw is easy to trigger and gives full use of the Phone app. From there the address book is accessible, and the Photos app can be reached by trying to change a contact's picture.

Steps to follow:

First part:
- Go to the emergency call screen, press the power button and tap cancel.
- Dial 112, tap the green (call) button and immediately tap the red (end) button.
- Go back to the lock screen.

Second part:
- Go to the passcode screen.
- Hold the power button for about three seconds and, before the "slide to power off" slider appears, tap the emergency call button.
- Then, without releasing the power button, press the Home button.

Apple has discontinued its own Java plugin, issuing an "update" that removes it from OS X and encourages users to download Oracle's version of the software instead. It's another step by Apple toward making OS X safer on the web.

Mac users may have noticed that Java-based websites now display a "Missing Plug-in" notification. Apple's support page states that the update is for OS X 10.7 and later. Besides stripping the Java plug-in from browsers, it also removes the Java Preferences application, which is no longer needed to configure applet settings. To be clear, the update does not remove Java itself if it is installed, only the Java plug-in from your web browsers.

In August, Java was blasted as an unsafe plug-in that should only be used when absolutely necessary after a zero-day exploit was discovered, rolled into the user-friendly Blackhole exploit kit and used for nearly a week before Oracle issued a patch. That patch, however, also proved to be full of security bugs.

In April this year, Apple came under scrutiny over the Flashback malware, which infected OS X users by exploiting a vulnerability in Java. Identified as BackDoor.Flashback.39 by antivirus vendor Dr. Web, the Trojan infected more than half a million Macs.